From Europol, today:
The illegal marketplace ‘RaidForums’ has been shut down and its infrastructure seized as a result of Operation TOURNIQUET, a complex law enforcement effort coordinated by Europol to support independent investigations of the United States, United Kingdom, Sweden, Portugal, and Romania. The forum’s administrator and two of his accomplices have also been arrested.
Launched in 2015, RaidForums was considered one of the world’s biggest hacking forums with a community of over half a million users. This marketplace had made a name for itself by selling access to high-profile database leaks belonging to a number of US corporations across different industries. These contained information for millions of credit cards, bank account numbers and routing information, and the usernames and associated passwords needed to access online accounts.
These datasets were obtained from data breaches and other exploits carried out in recent years.
Turning the tables on the hackers
Operation TOURNIQUET, coordinated at the international level by Europol’s European Cybercrime Centre, was the culmination of a year of meticulous planning between the law enforcement authorities involved in preparation for the action.
The partners have been working closely together within the framework of the Joint Cybercrime Action Taskforce (J-CAT) hosted at Europol to identify the key targets and establish a coordinated strategy to prepare for the final phase of the investigation.
This intense exchange of information enabled the investigators to define the different roles the targets played within this marketplace, i.e.: the administrator, the money launderers, the users in charge of stealing/uploading the data, and the buyers.
The Head of Europol’s European Cybercrime Centre, Edvardas Šileris, said:
Disruption has always been a key technique in operating against threat actors online, so targeting forums that host huge amounts of stolen data keeps criminals on their toes. Europol will continue working with its international partners to make cybercrime harder – and riskier – to commit.
The following authorities have taken part in this investigation:
- Sweden: Swedish Police Authority (Polisen)
- Romania: National Police
- Portugal: Judicial Police
- Germany: Federal Criminal Police Office (Bundeskriminalamt)
- United States: US Secret Service (USSS), Federal Bureau of Investigation (FBI), Internal Revenue Service Criminal Investigation (IRS-CI)
- United Kingdom: National Crime Agency (NCA)
- Europol: European Cybercrime Centre (EC3), Joint Cybercrime Action Taskforce (J-CAT)
Source: Europol
The owner and accomplices were not named in Europol’s notice. But then there’s the DOJ press release, below:
United States Leads Seizure of One of the World’s Largest Hacker Forums and Arrests Administrator
The Department of Justice today announced the seizure of the RaidForums website, a popular marketplace for cybercriminals to buy and sell hacked data, and unsealed criminal charges against RaidForums’ founder and chief administrator, Diogo Santos Coelho, 21, of Portugal. Coelho was arrested in the United Kingdom on Jan. 31, at the United States’ request and remains in custody pending the resolution of his extradition proceedings.
Court records unsealed today indicate that the United States recently obtained judicial authorization to seize three domains that long hosted the RaidForums website. These domains were “raidforums.com,” “Rf.ws,” and “Raid.lol.” According to the affidavit filed in support of these seizures, from in or around 2016 through February 2022, RaidForums served as a major online marketplace for individuals to buy and sell hacked or stolen databases containing the sensitive personal and financial information of victims in the United States and elsewhere, including stolen bank routing and account numbers, credit card information, login credentials and social security numbers.
“The takedown of this online market for the resale of hacked or stolen data disrupts one of the major ways cybercriminals profit from the large-scale theft of sensitive personal and financial information,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “This is another example of how working with our international law enforcement partners has resulted in the shutdown of a criminal marketplace and the arrest of its administrator.”
“Our interagency efforts to dismantle this sophisticated online platform – which facilitated a wide range of criminal activity – should come as a relief to the millions victimized by it, and as a warning to those cybercriminals who participated in these types of nefarious activities,” said U.S. Attorney Jessica D. Aber for the Eastern District of Virginia. “Online anonymity was not able to protect the defendant in this case from prosecution, and it will not protect other online criminals either.”
“The seizure of the RaidForums website – which facilitated the sale of stolen data from millions of people throughout the world – and the charges against the marketplace’s administrator are a testament to the strength of the FBI’s international partnerships,” said Assistant Director in Charge Steven M. D’Antuono of the FBI’s Washington Field Office. “Cybercrime transcends borders, which is why the FBI is committed to working with our partners to bring cybercriminals to justice – no matter where in the world they live or behind what device they try to hide.”
“This global investigation signifies the remarkable dedication of the U.S. Secret Service and highlights our partnerships with our foreign law enforcement counterparts essential to disrupting sophisticated networks of cyber criminals,” said Special Agent in Charge Jason D. Kane of the U.S. Secret Service’s Criminal Investigative Division. “This case exemplifies teamwork at all levels of law enforcement to stop these cyber criminals from defrauding citizens of the United States and in our partner countries.”
Prior to its seizure, RaidForums members used the platform to offer for sale hundreds of databases of stolen data containing more than 10 billion unique records for individuals residing in the United States and internationally. At the time of its founding in 2015, RaidForums also operated as an online venue for organizing and supporting forms of electronic harassment, including by “raiding” – posting or sending an overwhelming volume of contact to a victim’s online communications medium – or “swatting” – the practice of making false reports to public safety agencies of situations that would necessitate a significant, and immediate armed law enforcement response.
The seizure of these domains by the government will prevent RaidForums members from using the platform to traffic in data stolen from corporations, universities and governmental entities in the United States and elsewhere, including databases containing the sensitive, private data of millions of individuals around the world.
In addition, a six-count indictment against Coelho was unsealed in the Eastern District of Virginia charging him with conspiracy, access device fraud and aggravated identity theft in connection with his role as the chief administrator of RaidForums. According to the indictment, between Jan. 1, 2015, and on or about Jan. 31, 2022, Coelho allegedly controlled and served as the chief administrator of RaidForums, which he operated with the help of other website administrators. As administrators, Coelho and his co-conspirators are alleged to have designed and administered the platform’s software and computer infrastructure, established and enforced rules for its users, and created and managed sections of the website dedicated to promoting the buying and selling of contraband, including a subforum titled “Leaks Market” that described itself as “[a] place to buy/sell/trade databases and leaks.”
To profit from the illicit activity on the platform, RaidForums charged escalating prices for membership tiers that offered greater access and features, including a top-tier “God” membership status. RaidForums also sold “credits” that provided members access to privileged areas of the website and enabled members to “unlock,” and download stolen financial information, means of identification, and data from compromised databases, among other items. Members could also earn credits through other means, such as by posting instructions on how to commit certain illegal acts.
According to the indictment, Coelho also personally sold stolen data on the platform, and directly facilitated illicit transactions by operating a fee-based “Official Middleman” service. For the Official Middleman service, Coelho allegedly acted as a trusted intermediary between RaidForums members seeking to buy and sell contraband on the platform, including hacked data. Notably, to create confidence amongst transacting parties, the Official Middleman service enabled purchasers and sellers to verify the means of payment and contraband files being sold prior to executing the transaction.
Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division; U.S. Attorney Jessica D. Aber for the Eastern District of Virginia; Special Agent in Charge Jason D. Kane of the U.S. Secret Service’s Criminal Investigative Division; and Assistant Director Steven M. D’Antuono of the FBI’s Washington Field Office made the announcement.
Senior Trial Attorney Aarash Haghighat of the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorney Carina A. Cuellar for the Eastern District of Virginia are prosecuting the case against Coelho. The Justice Department’s Office of International Affairs provided significant assistance throughout the criminal investigation.
The law enforcement actions against RaidForums and Coelho are the result of an ongoing criminal investigation by the FBI’s Washington Field Office and the U.S. Secret Service. The department also thanks the support provided by Joint Cybercrime Action Taskforce (Europol), National Crime Agency (UK), Swedish Police Authority (Sweden), Romanian National Police (Romania), Judicial Police (Portugal), Internal Revenue Service Criminal Investigation, Federal Criminal Police Office (Germany) and other law enforcement partners.
Anyone that has any information regarding Coelho or RaidForums should file a complaint at ic3.gov with #RaidForums in the description.
An indictment is merely an allegation, and all defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
Update 1,3: The UK’s NCA reports that a suspected admin was arrested at his home (in Croydon) in March and has been released under investigation. At the time, they seized £5,000 in cash, thousands in US dollars and put a freeze on crypto assets worth more than half a million dollars. Note: It is not clear whether the NCA is referring to Coelho (“Omni”) or another individual as other documents say that Coelho was arrested on January 31. The NCA’s press release said:
An online forum that provided criminals with stolen personal data has been taken down in an international operation, which has also seen the NCA arrest a suspected site controller.
Under Operation Tourniquet, the National Crime Agency and partners in the US, Europol and four other countries, took action to close ‘RaidForums’ and carried out a number of linked arrests.
One of those was a 21 year-old from Croydon, who the NCA arrested at his home in March.
He is suspected of being an administrator on the website and has since been released under investigation.
At the time of his arrest, officers seized £5,000 in cash, thousands in US dollars and put a freeze on crypto assets worth more than half a million dollars.
Update 2,3: The docket was unsealed by the court, but a lot of files are not yet available. The docket shows that Coelho was first indicted and an arrest warrant for him was issued — both on May 6, 2021. There were two subsequent superseding indictments in February and March of 2022, each accompanied by a new arrest warrant. On March 17, the U.S. filed an affidavit in support of request for extradition.